2015-01-15 - GUEST BLOG ENTRY BY JACK MOTT - ANOTHER UPATRE/DYRE PHISHING WAVE

ASSOCIATED FILES:


NOTES:


PHISHING EMAIL INFORMATION

OVERVIEW:


EXAMPLE OF THE MESSAGE:

Sir/Madam,

Please download document from dropbox, payment advice is issued at the request of our customer. The advice is for your reference only.

Download link:

hxxp://www.example.domain/NATWEST_RELEASES/bankline.html

Yours faithfully,
Global Payments and Cash Management
HSBC

***************************************************************************

This is an auto-generated email, please DO NOT REPLY. Any replies to this email will be disregarded.

***************************************************************************
Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail.

Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
*******************************************************************
"SAVE PAPER - THINK BEFORE YOU PRINT!"


TRAFFIC CHARACTERISTICS

LINKS FROM THE EMAILS:


SOME TRAFFIC GENERATED BY THESE LINKS:


FIDDLER INFO

EXAMPLE OF THE TRAFFIC SEEN:





MALWARE INFO

DOWNLOADED ZIP FILE:

File name:  doc172_pdf.zip
MD5 hash:  b4157a9f819a9aeb401a4b7784f7916e
VT:  25/57 - https://www.virustotal.com/en/file/b3a5fdcca34a55c4b7e0010e1202ae56c38137ac96e4dddf9f31f103859187bb/analysis/

EXTRACTED MALWARE:

File name:  doc255_pdf.exe
MD5 hash:  b4157a9f819a9aeb401a4b7784f7916e
VT:  25/57 - https://www.virustotal.com/en/file/8cd4a12cf21a4e1f9bf2da069be51b52c777328ae6ed87ce29b495412773cd72/analysis/

NOTES:


ADDITIONAL INFO

EXAMPLE OF AN HTTP GET REQUEST GENERATED BY THE UPATRE DOWNLOADER:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
